Appsec

I asked ChatGPT to write me a program

This post contains a lot of code, presented as close as possible to the code ChatGPT gave me. I’m including it here so people can see how good or bad they think it is. Where necessary I modified the code to make it work, but it’s as close as possible. All this code makes the post look longer than it is. If you’re not interested in the code then you can skip over it and just read my words :-)

We don't need security products

There’s a theme going around that you should create secure products, not buy security products. And, as far as it goes, this is… Well, actually it’s not good. My initial response was “Why not both?” We need to secure the products we develop. There’s no doubt about that. And we need to mitigate mistakes. How do we do this? Spoiler… security products :-) In response to this I got a message: “If you have secure products, you do not need security products.”

API Security at the gateway

When it comes to talking about API Security there are many facets and paths the conversation can take. We might want to talk about it from an AppDev security perspective; after all, an API is just code, so your SAST/DAST type processes apply. We might want to talk about it in terms of authentication; after all, you need credentials to access an API and there are many different ways this can be done (Basic Auth, mutual TLS, OAuth, HMAC…); this would also include when anonymous APIs are OK!

Microservice Security

Recently I was invited to be part of a panel on Microservice Security. The fools! Normally on these panels they want you to talk for 5-ish minutes; unfortunately I came up with about 15 minutes worth of material! That’s perfect for a blog :-)

Older designs

Before I talk about microservices I want to take a look at older designs.

Monoliths

A “monolith” is pretty much an “all in one” application.